I'm reading about PHP security these days and I'm dizzy; please explain clearly!
I know I should use strip_tags() or htmlentities() against XSS attacks. But if I need HTML tags somewhere, such as in a blog post, what should I do?
But where should I use mysql_real_escape_string() and add_magic_quotes()? Are these the same?
Another question is: should I use mysql_real_escape_string() for every SQL query (INSERT, UPDATE, SELECT, DELETE, etc.)? Can this function have a bad effect on my data (for example, on a blog post that has HTML tags or ', "")?
I know I should use strip_tags() or htmlentities() against XSS attacks. But if I need HTML tags somewhere, such as in a blog post, what should I do?
If you don't trust the users, then parse the HTML, run all the elements and attributes through a whitelister, then serialise the document back to HTML.
But where should I use mysql_real_escape_string() and add_magic_quotes()? Are these the same?
They aren't the same, and you should, generally speaking, avoid them. Use bound parameters instead.
Another question is: should I use mysql_real_escape_string() for every SQL query?
You should escape all user input before passing it to a database.
Forget about magic_quotes. It was a lazy way to automatically escape certain control characters found within user input. Continue learning about newer and more efficient methods to filter/sanitize user input and you'll discover why magic_quotes has been deprecated.
Can this function have a bad effect on my data (for example, on a blog post that has HTML tags or ', "")?
You shouldn't have any problems because the data isn't stored in the database with the extra slashes. If it is, there's a good chance magic_quotes is enabled and needs to be turned off.
Should I use mysql_real_escape_string() for every SQL query?
User input needs to be filtered/sanitized before using it to make a query. Use that function, or prepared statements.
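The bound-parameter approach recommended in the answers above, worked through for the four statement types the question lists. This is an added example, not code from any of the answers; it assumes the pdo_sqlite extension is available and uses an in-memory SQLite database in place of MySQL so it runs offline (with MySQL the DSN would be "mysql:host=...;dbname=...;charset=utf8mb4"). The table and the sample post are constructed for the example.

```php
<?php
// Added example: PDO prepared statements keep data and SQL apart, so no
// string escaping is applied to the values and nothing is stored with
// extra slashes. Assumption: pdo_sqlite is installed; SQLite in memory
// stands in for MySQL here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With MySQL, also turn off client-side placeholder emulation so the
// server receives real prepared statements:
// $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');

// Constructed sample input: HTML, single and double quotes in the body,
// and a classic injection payload in the title.
$title = "Bob's \"quoted\" title' OR 1=1 --";
$body  = '<p>Hello, "world"! It\'s <b>bold</b> &amp; <script>alert(1)</script></p>';

// INSERT: values travel as bound parameters, never spliced into the SQL text.
$ins = $db->prepare('INSERT INTO posts (title, body) VALUES (:title, :body)');
$ins->execute([':title' => $title, ':body' => $body]);
$id = (int) $db->lastInsertId();

// SELECT: what comes back is byte-for-byte what was submitted.
$sel = $db->prepare('SELECT title, body FROM posts WHERE id = :id');
$sel->execute([':id' => $id]);
$row = $sel->fetch(PDO::FETCH_ASSOC);
var_dump($row['title'] === $title, $row['body'] === $body);

// The injection text is just data: this lookup compares the literal
// string, because the payload never became part of the WHERE clause.
$cnt = $db->prepare('SELECT COUNT(*) FROM posts WHERE title = :title');
$cnt->execute([':title' => "' OR 1=1 --"]);
var_dump((int) $cnt->fetchColumn());

// UPDATE and DELETE follow the same pattern.
$upd = $db->prepare('UPDATE posts SET body = :body WHERE id = :id');
$upd->execute([':body' => $body . '<p>edited</p>', ':id' => $id]);

$del = $db->prepare('DELETE FROM posts WHERE id = :id');
$del->execute([':id' => $id]);
var_dump($del->rowCount());
```

The point of the block is that the same call shape serves INSERT, UPDATE, SELECT and DELETE, and that the stored HTML and quotes survive untouched; escaping is the driver's job at the moment the query runs, not something applied to the data before storage.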
If you need to allow HTML within a blog post, you should whitelist tags and attributes, but you should not attempt this yourself. Instead, use HTMLPurifier. Use it before storing in the database as it is heavy and slow, but very safe.
http://htmlpurifier.org/
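The parse-whitelist-serialise approach described in the earlier answer, done with the HTMLPurifier library this answer points to. This is an added example, not code from either answer or from the HTMLPurifier project; it assumes the library is installed through Composer (package ezyang/htmlpurifier) so the autoloader path below exists, and the function name purify_post_html and the sample post are made up for the illustration.

```php
<?php
// Added example: whitelisting elements and attributes with HTMLPurifier
// before a post is stored. Assumption: ezyang/htmlpurifier is installed
// via Composer, so vendor/autoload.php is present.
require __DIR__ . '/vendor/autoload.php';

function purify_post_html(string $dirty): string
{
    $config = HTMLPurifier_Config::createDefault();
    // The allowed vocabulary. Elements not listed are removed (their text
    // content is kept), and attributes not listed are stripped.
    $config->set('HTML.Allowed',
        'p,br,b,strong,i,em,ul,ol,li,blockquote,a[href],img[src|alt]');
    // Only these URI schemes survive on href/src; "javascript:" is dropped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    // Add rel="nofollow" to links so user-supplied links carry no weight.
    $config->set('HTML.Nofollow', true);
    // No definition cache for this stand-alone run; in production point
    // Cache.SerializerPath at a writable directory instead of disabling it.
    $config->set('Cache.DefinitionImpl', null);

    return (new HTMLPurifier($config))->purify($dirty);
}

// Constructed sample input mixing legitimate markup with XSS attempts.
$dirty = '<p onclick="steal()">Hi <b>there</b></p>'
       . '<a href="javascript:alert(1)">click</a>'
       . '<a href="https://example.com/">ok link</a>'
       . '<img src="x" onerror="alert(1)">'
       . '<script>alert(document.cookie)</script>'
       . '<p>Unclosed <i>italic';

// The event handlers, the script element and the javascript: URL do not
// survive; the allowed elements stay, and unclosed tags are closed because
// the document is parsed and re-serialised rather than pattern-matched.
echo purify_post_html($dirty), "\n";
```

Run it once on the way into the database, as the answer says; HTMLPurifier builds a full document tree per call, so doing it on every page view is the expensive choice. Output still needs htmlspecialchars() for any value that is not the purified HTML itself (titles, author names), because purification and output escaping solve different problems.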
Magic quotes should not be used at all. Ever. mysql_real_escape_string() should be used on every single argument provided in the query. It is all that is needed to prevent SQL injections. Of course, making sure the connection expects the character encoding you are actually sending is a prerequisite.
The idea of a generic sanitation function is a broken concept.
There is one right sanitation method for every purpose. Running a generic sanitation method on a string will often break it - escaping a piece of HTML code for a SQL query will break it for use in a web page, and vice versa. Sanitation should be applied right before using the data:
mysql_real_escape_string() for functional mysql_* calls (or parametrized queries)
htmlspecialchars() for safe HTML output
preg_quote() for use in a regular expression
escapeshellarg() / escapeshellcmd() for use in an external command
etc. etc.
Using a "one size fits all" sanitation function is like using five kinds of highly toxic insecticide on a plant that can by definition only contain one kind of bug - only to find out that your plants are infested by a sixth kind, on which none of the insecticides work.
Always use that one right method, ideally straight before passing the data to the function. Never mix methods unless you need to.
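The "one right method per sink" rule from this answer, worked through for the non-SQL sinks it lists (HTML output, regular expressions, shell commands), plus a demonstration of what mixing methods does to the data. This is an added example, not code from the answer; the helper names render_html, contains_literal and grep_command and the sample input are made up for the illustration.

```php
<?php
// Added example: one escaping function per sink, applied immediately
// before the data reaches that sink. Helper names are hypothetical.

// Constructed sample input: a single string that is hostile in every
// context at once (quotes, markup, shell metacharacters, regex metachars).
$input = 'O\'Reilly <b>"rm -rf /"</b> ; $(id) .*';

// 1. HTML output: htmlspecialchars with ENT_QUOTES so both quote styles are
//    encoded (required when the value lands inside an attribute) and an
//    explicit charset so the encoder and the page agree on the bytes.
function render_html(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a title="' . $safe . '">' . $safe . '</a>';
}

// 2. Regular expression: preg_quote, passing the delimiter so it is escaped
//    too; without the second argument a "/" in the input ends the pattern.
function contains_literal(string $haystack, string $needle): bool
{
    return preg_match('/' . preg_quote($needle, '/') . '/u', $haystack) === 1;
}

// 3. External command: escapeshellarg wraps the value as one argument, so
//    "; $(id)" stays literal text instead of becoming a second command.
function grep_command(string $needle, string $file): string
{
    return 'grep -F -- ' . escapeshellarg($needle) . ' ' . escapeshellarg($file);
}

echo render_html($input), "\n";
var_dump(contains_literal('foo .* bar', '.*'));   // ".*" is matched literally
var_dump(contains_literal('foo xy bar', '.*'));   // so this one is a miss
echo grep_command($input, 'posts.log'), "\n";

// Mixing methods: HTML-escaping a value that is headed for a SQL bind or a
// shell argument changes the data itself. "O'Reilly" would be stored as
// "O&apos;Reilly" and would no longer equal the real name on a later lookup.
$wrong = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
var_dump($wrong === $input);
```

The SQL sink is deliberately left out of this block: for it, the right method is a bound parameter, and escaping the value by hand is only correct when the connection charset is already set so the escaper knows which bytes are quote characters.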